RSS
 

Posts Tagged ‘IDA’

Hackvent 2019: Day 23

24 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 23 December 2019

 

Challenge

HV19.23 Internet Data Archive

Solution

We are presented with the following website:

 

We are allowed to enter a username and select some data to download except the flag which is classified. Upon doing this a unique zip file is generated for us containing our files and we are also provided with a password that allows us to open the encrypted zip file.

By playing around with the website we learn the following things:

  • Usernames are truncated to be at most 12 characters long (alphanumberis)
  • Passwords are always 12 digits (alphanumeric) and look like this: BxxRGJAMpmbJ
  • All links to download files contain the input username with -data appended. Example for username of mohttp://whale.hacking-lab.com:23023/tmp/mo-data.zip
  • Can pass in req instead of req[] as PHP post argument to trigger PHP error:
  • Can pass in username[] instead of username as PHP post argument to make name be parsed as Array: http://whale.hacking-lab.com:23023/tmp/Array-data.zip
  • We cannot use the username Santa (it is explicitly disallowed!)

 

We shortly find out that the tmp directory where files are hosted has indexing on and we can see all the files that are being created. By sorting by oldest files first we discover two interesting files:

We download Santa-data.zip and discover that it contains a file called flag.txt! However, we do not know the password for this archive.
Assuming alphanumerics are used as the charset for the password our bruteforce complexity is 62^12 which not feasible.

Next, we inspect the phpinfo for any valuable information, we take note of the PHP version 7.4.1 and that the sodium module is loaded (although this doesn’t matter).

Next we write a password generator script to generate a lot of tokens:

After generating 1000 passwords we run frequency analysis on the payload and discover that certain characters never appear. These characters are 0, 1, l, I, N, n, O, o. Perhaps these characters are committed as they look similar to other characters. Eliminating this characters from our charset brings down our bruteforce complexity to 54^12 which is still not feasible.

We note the title of the challenge page IDA Pro and after researching for IDA Pro PRNG we come across this interesting article:
https://devco.re/blog/2019/06/21/operation-crack-hacking-IDA-Pro-installer-PRNG-from-an-unusual-way-en/

The author describes the same exact charset that is in use here so we try to use the same approach to break the PRNG used to encrypt the Santa-data.zip file. We decide to use PHP for this with the same version 7.4.1 as the challenge website to ensure consistency.

We make the following bruteforce.php script:

This script simply generates a random 12 length password using the first 12 bytes of randomness generated by the RNG for each seed between 0 to 2^32. However, we cannot save this data to disk easily so we will instead stream the data to a ZIP cracking utility like John the Ripper to attempt to crack the file on the fly.

We run:

After about 2 minutes we have a successful crack:

Thus our password is Kwmq3Sqmc5sA and the original seed used was 4333287.
We open flag.txt to get our daily flag!

Flag:  HV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}

 
No Comments

Posted in Hackvent 2019

 

Hackvent 2019: Day 20

20 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 20 December 2019

 

Challenge

HV19.20 i want to play a game

Resource mirror: HV19-game.zip

Solution

We are given a binary and told it is something obscure we have to reverse. We download the binary and open it in IDA. After some digging around we realise the file has something to do with the PS4 and this is consistent with the hint in the zip file name too.

We dig around in IDA where we find a single main()  method. We see that we seem to read in a file called  /mnt/usb0/PS4UPDATE.PUP and then take the MD5 hash of this file and compare it to f86d4f9d2c049547bd61f942151ffb55. After googling this hash we find the file in question is the PS4 5.05 firmware.

We decide to decompile the code to C and are presented with the following:

The above decompilation is not perfect but we see the general structure of the program. First we initialise an array of 32 bytes with some data from byte_300 and store this as our flag data. Next we open our  /mnt/usb0/PS4UPDATE.PUP file. We initialise our file pointer value to  0x1337 and start looping, adding  0x1337 to our seek pointer each iteration. Finally, we read 26 bytes from the file and xor this with the current flag dataAt the end, we should our flag in our array.

We translate this to python code and get the following:

Running this gives us our flag!

Flag:  HV19{C0nsole_H0mebr3w_FTW}

 
No Comments

Posted in Hackvent 2019

 

Hackvent 2019: Day 12

13 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 12 December 2019

 

Challenge

HV19.12 back to basic

Resources: HV19.12-BackToBasic.zip

Solution

We download the above zip file and find a Windows PE executable called  BackToBasic.exe.
Upon opening the file we are prompted for some input but our input is always wrong.

Initially, we open this file in IDA Pro and inspect it. Its a smallish executable that was originally written in Visual Basic.
We decide to complete this challenge using only static analysis. We use a combination of IDA Pro and another tool called VB Decompiler.
This decompiler was specifically designed to decompile Visual Basic code so its a good bet!

We get the following decompilation result:

We clean this up a little by working through the variables making sense of it all:

After a while we understand what the code is basically doing.
Our input string is first checked to ensure the first 4 characters equal HV19. If this condition is met, we check that our input string has a length of 33 characters. If this condition is met, we perform a loop from 6 to 32 inclusive. These bounds are interesting as Visual Basic starts indexes at 1 and the first 5 characters of our flag are typically HV19{ and the last character is }. Basically we are looping over the indexes belonging to the flag content. Next, we seem to perform some XOR operation on the ordinal of the character (VB Asc command) and some other unknown value. It took a little time to realise this other value was the current string index (which I named char_counter above). Finally, a check is made with the string  6klzic<=bPBtdvff'yFI~on//N. It is important to note that the string is UTF-16 little endian encoded.

Therefore, we simply have to reverse the operation to get our original flag. In other words, take our comparison string  6klzic<=bPBtdvff'yFI~on//N and XOR it with the corresponding index (6,7,etc).

Psuedocode:

We write a little python script to do this for us which provides us with our flag:

Flag:  HV19{0ldsch00l_Revers1ng_Sess10n}

 
No Comments

Posted in Hackvent 2019

 

HACKvent 2015: Day 14

14 Dec 2015
CTF: Hackvent 2015
Link to challenge: http://hackvent.hacking-lab.com
Date Completed: 14 December 2015

Challenge

The following Windows binary was also provided: Download EXE File

 

Solution

I download the binary and run it and am presented with the following program:

Hackvent Day 14 Program

It turns out that this program will tell you (via a messagebox) if you enter in the correct daily nugget or not!
So all we have to do is check the binary to see what causes the successful message box to appear.

Note: You can do this challenge using IDA or a .NET disassembler like ILSpy (link).

If using IDA, its useful to be familiar with CIL instructions.

ILSpy Approach
I decided to use ILSpy as it is apparently a very good .NET disassembler. I open the program and load the binary and it disassembles it into various classes as you would expect.
We are mainly interested in the hv15 class. By searching for strings like yes, that is the key! we realise the only important functions we need to look at are Button1_Click and  Encrypt .

This is the code for both:

Button1_Click

 

Encrypt

 

It becomes super simple to solve this challenge at this stage. The input parameter is just the text we enter into the textbox and the pass parameter is  Form1.GlobalVariables.assembly which is defined to be the string  __ERROR_HANDLER. All we have to do is reverse the encryption starting with an input that equals  zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=. We first decode the base64 string into a byte array and then run the program again but with  rijndaelManaged.CreateEncryptor() changed to rijndaelManaged.CreateDecryptor().

I wrote a small C# program that accomplishes what we want to do:

We run the above program and get our flag!

Flag:  HV15-uQEJ-4HPX-Qcau-Xvt7-NAlP

 
No Comments

Posted in Hackvent 2015